Fortify has identified a new class of bug that is designed to take advantage of the atmosphere of trust that occurs while developers are playing with open source code. It’s called build-process injection, a Trojan horse that allows hackers to insert malicious code into the target program while it is being constructed.
In this case, hackers can surreptitiously replace source code sitting in the repository with an infected version. The result is that the Trojan horse could start doing its dirty work before the application ever gets to test phase, or depending on the design of the malware, at any point thereafter.
For instance, if the software depends on external components from the open source server, attackers can target the server or the DNS to hijack the callback to a malicious server. Damage could also come through corruption to the actual software build that results.
In turn, it could corrupt the build server, causing it to proliferate builds that are then sent to the test environment, where they could wreak more havoc.
And should the infected software somehow make it through the test, the malware could attack once the software is in production, corrupting other applications that interact with it.
Fortify has written a paper documenting the exploit and release a new rule pack to its tooling to help developers identify and eliminate the threat. The update to the rule pack also includes support for CWE, an emerging standard that specifies a common language for identifying software vulnerabilities.
The rule pack is available from Fortify now.
Our View
Our first reaction to the news was, Is nothing sacred anymore?
The open source style of development emerged as an idealistic reaction to the reality that the proprietary technology of commercial software vendors was increasingly posing a hurdle to pure innovation. It also fostered a community ethic for doing good, and an atmosphere of trust across that virtual community.
And, as success stories like Linux or JBoss attest, open source has proven an extremely effective, if occasionally chaotic development model that opens up the world’s largest virtual software R&D team. In this case, it proved that doing good could also mean doing profitable.
But at some point, reality had to rear its ugly head, with cracks appearing inside the wall garden of trust. Not surprisingly, the most effective mode of attack inside the open source community would wind up targeting the human behavior patterns prevailing inside it.
In that sense, the newly discovered build-process injections have something in common with the infamous Love bug virus of a decade ago: they both took advantage of the fact that in certain situations, we will all let our guard down. In the first case, it was a human tendency to find out who was secretly infatuated with you, or to satisfy some feeling of unrequited love.
Yes, we’ll confess. In our case, the love bug came from an attractive public relations contact, who had a rather melodic name and happened to be rather attractive. And like a social disease, we found ourselves faced with plenty of clean-up during the proverbial morning after.
In the current case, the most effective form of attack inside an open source community would therefore target the level of trust that normally exists between virtual strangers. If you have been working with an open source program, you’ll tend to trust that server, and therefore might not observe the normal protections or corporate policies against downloading executables from outside the firewalls.
Given the success of the open source development model, it was inevitable that reality would charge in at some point. A sign of maturity will a shift on the part of the open source community to adopting the software version of safe sex.
